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DETAILED ACTION 

1. This office action is in reply to an amendment filed on November 06, 
2008. Claims 1-33 are pending and examined. 

Priority 

2. This application does not claim priority of an application. Therefore, the 
effective filling date for the subject matter defined in the pending claims 
of this application is 07/02/2004. 

Response to Arguments 

3. Applicant's remark/ arguments filed on November 06, 2008 have been 
fuUy considered but they are not persuasive. 

Applicant's representative first argued that there is no motivation to 
combine the two reference/ s on the record (namely the IBM and 
Laksono) 

Applicant's representative specifically wrote the following in support of 
his argument. 

"There is no motivation to combine IBM with Laksono because any 
combination of IBM with Laksono would render IBM unsuitable for its 
intended function. IBM describes a system for defining administrative roles 
in a UNIX system that allows any user to execute a particular command, 
but provides some users with specific privileges when executing that 
particular command. See IBM, p. 4. The system described by IBM 
accomplishes this by associating privileges "directly with the program file" 
so that "any method of executing the command will work. " See IBM p. 4. In 
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contrast, Laksono describes preventing users from controlling a media 
device in the absence of authentication of a hand held device using "the 
identity of the hand held device and/or its password. " See Laksono, p. 4 
paragraph 40. Combining IBM with Laksono would create a system where 
commands can only be executed by authenticated users. Thus, any 
combination of IBM with Laksono would fail to produce a system that 
allows any user to execute a particular command. For this reason, there is 
no motivation to combine IBM with Laksono. " 
Examiner disagrees with the above argument. 
Examiner counters the above argument for the reason that a close 
review of the reference/ s on the record reveals that there is a clear 
motivation to combine the two reference/ s with out rendering the 
primary reference/ s (IBM) unsuitable for its intended function. 

As it is admitted by the applicant's submitted argument some 

users requires a specific privileges when executing particular 
command. However such privilege which is taught by the IBM 
reference/ s is "the least privilege mechanism" and is found to be 
different from "a minimal set of computing privileges necessary for 
the user to use the requested application" as it is required by the 
claims. However employing Laksnon's teaching of "determining a 
minimal set of computing privileges necessary for the user to use 
the requested application" into the primary IBM reference/ s does 
not necessarily create a system where all users should be 
authenticated in order to execute commands as argued by the 
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applicant's representative, even if it does contrary to the 

applicant's representative argument does not make the primary 

reference non-operational because employing this feature such as 

determining a minimal set of computing privileges necessary for 

the user to use the requested application or to execute a command 

would undoubtedly enhance the security of the system by the 

introducing/ strengthening the access-control mechanism. 

Furthermore in response to applicant's argument that there is no 
motivation or suggestion to combine the references, the examiner 
recognizes that obviousness can only be established by combining 
or modifying the teachings of the prior art to produce the claimed 
invention where there is some teaching, suggestion, or motivation 
to do so found either in the references themselves or in the 
knowledge generally available to one of ordinary skill in the art. 
See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) 
and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). 
In this case, the motivation to combine the two reference /s is not 
only available to one of ordinary skill in the art but also in the 
secondary reference on the record and the motivation is to build a 
secure monitoring system and enhance the security or "the access 
control system" [See Laksono at least on paragraph 0010] 

For the rest of the argument presented by the applicant's representative 
examiner would like to point out the following would clarify how 
examiner interprets the claim limitation and how each and every 
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limitation of the claim is disclosed by the combination of the reference/ s 
on the record. 



For instance, referring to independent claims land 26 IBM discloses 
a method for providing secure access to applications [Page 3, lines 

32-34\ [This is extended by means of a Privilege Control List mechanism, 
which works in much the same way as the Access Control List mechanism 
described in the following article) 
the method comprising the steps of: 

• Receiving a request from a user to execute an application 

[Page 4, lines 19-20 and page 4, lines 16- 17 [On page 4, lines 19-20, see 
"the command is executed by direct user invocation by shell script or via 
system call or subroutine."" and on page 4, lines 16-17, see "any method 
executing the command"); 

• Determining a minimal set of computing privileges necessary 
for the user to use the requested application [Page 3, lines 29-34] (The 
disclosed mechanism works in conjunction with the least privilege 
mechanism described in (*), which describes mechanism for associating a 
set of discrete privileges with a file. This is extended by means of a 
Privilege Control List mechanism, which works in much the same way as 
the Access Control List mechanism described in the following article. The 
submitted specification on paragraph 0005 disclosed the following. "The 
principle of least privilege ensures that an application runs with the 
minimal amount of permissions necessary to accomplish its assigned 
tasks".); and 
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• Invoking an execution environment for the user having 

the determined set of privileges [Page 4, lines 16-18 and page 4, 

lines 18-21] (On page 4, lines 16-18, the following has been 

disclosed, "any method of executing the command will 'work' - that 

is, the invoker will acquire the correct privileges. " Furthermore 

on page 4, lines 18-21, the following has been disclosed, "this 

method allows privilege to be acquired whether the command is 

executed by direct user invocation, by shell script or via system 

call or subroutine. ") 

Though IBM teaches "the least privilege mechanism" as shown 
above it does not explicitly disclose "determining a minimal set of 
computing privileges necessary for the user to use the requested 
application" 

However, in the same field of endeavor Laksono on paragraph 
0032, discloses the following. 

"The process begins at step 80, where a hand held device of the 
multimedia system transmits a remote control/ monitoring request 
to a server of the multimedia system" and this meets the limitation 
recited as "Receiving a request from a user to execute an 
application" because the hand held device as disclosed on 
paragraph 0024 could be any kind of device including a laptop 
which can be operated by the user. 

And Laksono on paragraph 0034 discloses the following. 
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"The process proceeds to step 84 where the server determines 

remote control and monitoring privileges of the hand held device. 

The determination of the privileges wiU be described in greater 

detail with reference to FIG. 8. The process continues at step 86 

where the server determines whether the hand held device has 

at least a minimum level of remote control and monitoring 

privileges." and this meets the limitation recited as "Determining 

a minimal set of computing privileges necessary for the user to use 

the requested application" 

And finally Laksono on paragraph 0035 discloses the following. 
"If the hand held device has a minimal level of privileges, the 
process proceeds to step 90, where the server processes the 
remote control/ monitoring request with respect to at least one of 
the plurality of clients to produce operational monitoring data." 
And this meets the limitation recited as "Invoking an execution 
environment for the user having the determined set of privileges" 

It would have been obvious to one having ordinary skill in the art, 
at the time the invention was made, to combine the feature such 
as "determining a minimal set of computing privileges 
necessary for the user to use the requested application" 

as per teachings of Laksono into the method as taught by Ibm in 
order to build a secure monitoring system and enhancing the 
security or "the access control" of the system. [See Laksono at 
least paragraph 0010] 
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Thus for the reason above the office maintained the previous 

rejection. 

Claim Rejections - 35 USC §103 



4. ^J^^ift^ 1-33 are rejected under 35 U.S.C. 103(a) unpatentable over 
Publication, IBM Technical Disclosure Bulletin, title, "Administrative Role 
Configuration with Control Lists" TDB-ACC-NO: NB91 12110 (hereinafter 
referred as IBM) (Publication date: December 1, 1991) (Submitted in the 
pervious office action) in view of Laksono (hereinafter referred as 
Laksono) (U.S. Publication No. 2003/0046584 Al) (filed on: September 
5, 2001) 

5. As per independent claims 1. 26 and dependent claims 30. 32 IBM 
discloses a method for providing secure access to applications [Page 
3, lines 32-34\ {This is extended by means of a Privilege Control List 
mechanism, which works in much the same way as the Access Control List 
mechanism described in the following article) 

the method comprising the steps of: 

• Receiving a request from a user to execute an application 

[Page 4, lines 19-20 and page 4, lines 16- 17 [On page 4, lines 19-20, see 
"the command is executed by direct user invocation by shell script or via 
system call or subroutine."" and on page 4, lines 16-17, see "any method 
executing the command"); 

• Determining a minimal set of computing privileges necessary 
for the user to use the requested application [Page 3, lines 29-34] (The 
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disclosed mechanism works in conjunction with the least privilege 

mechanism described in (*), which describes mechanism for associating a 

set of discrete privileges with a file. This is extended by means of a 

Privilege Control List mechanism, which works in much the same way as 

the Access Control List mechanism described in the following article. The 

submitted specification on paragraph 0005 disclosed the following. "The 

principle of least privilege ensures that an application runs with the 

minimal amount of permissions necessary to accomplish its assigned 

tasks".); and 

• Invoking an execution environment for the user having 
the determined set of privileges [Page 4, lines 16-18 and page 4, 
lines 18-21] (On page 4, lines 16-18, the following has been 
disclosed, "any method of executing the command will 'work' - that 
is, the invoker will acquire the correct privileges. " Furthermore 
on page 4, lines 18-21, the following has been disclosed, "this 
method allows privilege to be acquired whether the command is 
executed by direct user invocation, by shell script or via system 
call or subroutine. ") 

Though IBM teaches "the least privilege mechanism" as shown 
above it does not explicitly disclose "determining a minimal set of 
computing privileges necessary for the user to use the requested 
application" 

However, in the same field of endeavor Laksono on paragraph 
0032, discloses the following. 
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"The process begins at step 80, where a hand held device of the 

multimedia system transmits a remote control/ monitoring request 

to a server of the multimedia system" and this meets the limitation 

recited as "Receiving a request from a user to execute an 

application" because the hand held device as disclosed on 

paragraph 0024 could be any kind of device including a laptop 

which can be operated by the user. 

And Laksono on paragraph 0034 discloses the following. 

"The process proceeds to step 84 where the server determines 
remote control and monitoring privileges of the hand held device. 
The determination of the privileges wiU be described in greater 
detail with reference to FIG. 8. The process continues at step 86 
where the server determines whether the hand held device has 
at least a minimum level of remote control and monitoring 
privileges." and this meets the limitation recited as "Determining 
a minimal set of computing privileges necessary for the user to use 
the requested application" 

And finally Laksono on paragraph 0035 discloses the following. 
"If the hand held device has a minimal level of privileges, the 
process proceeds to step 90, where the server processes the 
remote control/ monitoring request with respect to at least one of 
the plurality of clients to produce operational monitoring data." 
And this meets the limitation recited as "Invoking an execution 
environment for the user having the determined set of privileges" 
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It would have been obvious to one having ordinary skill in the art, 

at the time the invention was made, to combine the feature such 

as "determining a minimal set of computing privileges 

necessary for the user to use the requested application" 

as per teachings of Laksono into the method as taught by Ibm in 
order to build a secure monitoring system and enhancing the 
security or "the access control" of the system. [See Laksono at 
least paragraph 0010] 
6. As per independent claims 15 & 29. and dependent claims 16. 31. 
33 IBM discloses an application server system providing secure 
access to hosted applications, [Page 3, lines 32-34] (On page 3, lines 32- 
34, the following for instance has been disclosed. This is extended by 
means of a Privilege Control List mechanism, which works in much the 
same way as the Access Control List mechanism described in the following 
article and this meets the limitation recited as "providing secure access to 
hosted application) the system comprising: 

• A policy based decision system receiving a request from a 
user to execute an application [On page 3, lines 32-34, the following for 
instance has been disclosed. This is extended by means of a Privilege 
Control List mechanism, which works in much the same way as the Access 
Control List mechanism described in the following article and this meets 
the limitation of a policy based decision system. Furthermore, on page 3, 
lines 34-page 4, line 1, the following has been disclosed. A Privilege 
Control List (PCL) consists of an unordered set of Privilege Control Entries. 
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Each entry consists of a list of typed identifiers and a set of privileges. The 
list of typed identifiers defines the circumstances under which the 
privileges will be granted and this also meets the limitation recited as "A 
policy based decision system") receiving a request from a user to 
execute an application (Page 3, lines 32-34, Page 4, lines 19-20 and 
page 4, lines 16-17][On page 4, lines 19-20, see "the command is executed 
by direct user invocation by shell script or via system call or subroutine. " 
and on page 4, lines 16-1 7, see "any method executing the command"); 
and determining a minimal set of privileges required by the user to 
execute the application [Page 3, lines 29-34] (The disclosed mechanism 
works in conjunction with the least privilege mechanism described in (*), 
which describes mechanism for associating a set of discrete privileges with 
a file. This is extended by means of a Privilege Control List mechanism, 
which works in much the same way as the Access Control List mechanism 
described in the following article.); 

• An account administration service in communication with 
said policy based decision system, the account administration 
service invoking an execution environment for the user having the 
determined set of privileges; [See page 4, lines 12-23] (On page 4, lines 
12-23, the following has been disclosed. "Since the commands themselves 
do not enforce policy, the administrator who controls privilege 
assignment is free to configure the system roles in whatever 
manner is appropriate for the local system", and this meets "the 
account administration service". Furthermore the following has been 
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disclosed- "This mechanism is also compatible with existing practice. 

Because the privilege is associated directly with the program file, any 

method of executing the command will 'work' - that is, the invoker will 

acquire the correct privileges. Unlike the second mechanism described 

above, this method allows privilege to be acquired whether the command 

is executed by direct user invocation, by shell script or via system call or 

subroutine. - Lastly, this mechanism allows privilege to be granted based 

on arbitrary combinations of identifiers, thus increasing the flexibility with 

which the system privilege control policy can be defined" and this meets 

the limitation "an account administration service in communication with 

said policy based decision system, the account administration service 

invoking an execution environment for the user having the determined set 

of privileges".) and 

A connection manager in communication with said policy based 
decision system [See again page 4, lines 19-20 and 4, lines 16-1 7 "the 
entity/ interface receiving client's request/ execution command meet the 
limitation of connection manager and this interfaces between the user and 
the Privilege Control List system/ policy based decision system"], said 
connection manager receiving from a client system an RDP request 
by the user to execute the application [Page 4, lines 1 9-20 and page 4, 
lines 16-1 7] [On page 4, lines 19-20, see "the command is executed by 
direct user invocation by shell script or via system call or subroutine. "" and 
on page 4, lines 16-17, see "any method executing the command") ;a.nd 
transmitting to said policy based decision system an identification 
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of said user and an identification of said application. /See on page 3, 
lines 32-page 4, line 1 and page 4, lines 1 6-23] (On page 3, lines 32-page 
4, the following has been disclosed. This is extended by means of a 
Privilege Control List mechanism, which works in much the same way as 
the Access Control List mechanism described in the following article. A 
Privilege Control List (PCL) consists of an unordered set of Privilege Control 
Entries. Each entry consists of a list of typed identifiers and a set of 
privileges. The list of typed identifiers defines the circumstances under 
which the privileges will be granted. This meets the limitation recited as 
"policy based decision system based on identification of said user". 
Furthermore, the following has been stated. "This mechanism is also 
compatible with existing practice. Because the privilege is associated 
directly with the program file and this meets the limitation recited as 
"policy based decision system based on identification of said application", 
any method of executing the command will 'work' - that is, the invoker will 
acquire the correct privileges. Unlike the second mechanism described 
above, this method allows privilege to be acquired whether the command 
is executed by direct user invocation, by shell script or via system call or 
subroutine. - Lastly, this mechanism allows privilege to be granted based 
on arbitrary combinations of identifiers, thus increasing the flexibility with 
which the system privilege control policy can be defined 

Though IBM teaches "the least privilege mechanism" as shown 
above it does not explicitly disclose "determining a minimal set of 
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computing privileges necessary for the user to use the requested 

application" 

However, in the same field of endeavor Laksono on paragraph 
0032, discloses the following. 

"The process begins at step 80, where a hand held device of the 
multimedia system transmits a remote control/ monitoring request 
to a server of the multimedia system" and this meets the limitation 
recited as "Receiving a request from a user to execute an 
application" because the hand held device as disclosed on 
paragraph 0024 could be any kind of device including a laptop 
which can be operated by the user. 

And Laksono on paragraph 0034 discloses the following. 

"The process proceeds to step 84 where the server determines 
remote control and monitoring privileges of the hand held device. 
The determination of the privileges wiU be described in greater 
detail with reference to FIG. 8. The process continues at step 86 
where the server determines whether the hand held device has 
at least a minimum level of remote control and monitoring 
privileges." and this meets the limitation recited as "Determining 
a minimal set of computing privileges necessary for the user to use 
the requested application" 

And finally Laksono on paragraph 0035 discloses the following. 
"If the hand held device has a minimal level of privileges, the 
process proceeds to step 90, where the server processes the 
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remote control/ monitoring request with respect to at least one of 

the plurality of clients to produce operational monitoring data." 

And this meets the limitation recited as "Invoking an execution 

environment for the user having the determined set of privileges" 

It would have been obvious to one having ordinary skill in the art, 
at the time the invention was made, to combine the feature such 
as "determining a minimal set of computing privileges 
necessary for the user to use the requested application" 

as per teachings of Laksono into the method as taught by Ibm in 
order to build a secure monitoring system and enhance the 
security or "the access control" of the system. [See Laksono at 
least paragraph 0010] 
7. As per dependent claims 2-3 and 17-18 the combination of IBM and 
Laksono discloses a method as applied to claims above. 
Furthermore, IBM discloses the method, comprising the further step 
of: returning an identifier for the execution environment to the 
requesting user. [Page 4, lines 1 8-23 and page 3, lines 34-page 4, lines 4] 
(For instance on page 4, lines 18-23 the following has been disclosed. 
"This mechanism allows privilege to be granted based on arbitrary 
combinations of identifiers, thus increasing the flexibility with which 
the system privilege control policy can be defined. " Furthermore on page 3, 
lines 34-page 4, lines 4, the following has been disclosed. "A Privilege 
Control List (PCL) consists of an unordered set of Privilege Control Entries. 
Each entry consists of a list of typed identifiers and a set of privileges. The 
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list of typed identifiers defines the circumstances under which the 

privileges will be granted, and the format of the data structures permits 

extension to arbitrary types of identifiers") 

8. As per dependent claim 4 the combination of IBM and Laksono 
discloses a method as applied to claims above. Furthermore, IBM 
discloses the method, wherein step (a) comprises receiving an HTTP- 
based request from a user to execute an application. [Page 4, lines 19- 
20 and page 4, lines 16-1 7[On page 4, lines 19-20, see "the command is 
executed by direct user invocation by shell script or via system call or 
subroutine."" and on page 4, lines 16-17, see "any method executing the 
command"); 

9. As per dependent claims 5-8. 20-25 and 27-28 the combination of 
IBM and Laksono discloses a method as applied to claims above. 
Furthermore, IBM discloses the method, wherein step (b) comprises 
accessing a policy-based decision system to determine a minimal set 
of computing privileges necessary for the user to use the requested 
application. [Page 3, lines 29-34 and page 3, lines 35- page 4, line 4] (The 
disclosed mechanism works in conjunction with the least privilege 
mechanism described in (*), which describes mechanism for associating a 
set of discrete privileges with a file. This is extended by means of a 
Privilege Control List mechanism, which works in much the same way as 
the Access Control List mechanism described in the following article.) 

10. As per dependent claims 9 and 19 the combination of IBM and 
Laksono discloses a method as applied to claims above. 
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Furthermore, IBM discloses the method, further comprises 

determining a minimal set of computing privileges necessary for the 

user to use the requested application based, at least in part, on a 

role assigned to the user, [page 4, lines 12-14 ][See at least the title, 

"administrative role configuration" with privilege control lists and see on 

page 4, lines 12-14, "Since the commands themselves do not enforce 

policy, the administrator who controls privilege assignment is free to 

configure the system roles in whatever manner is appropriate for the local 

system" and on page Page 3, lines 29-34 and page 3, lines 35- page 4, 

line 4, see "the least privilege mechanism") 

11. As per dependent claims 10-13 the combination of IBM and 
Laksono discloses a method as applied to claims above. 
Furthermore, IBM discloses the method, wherein step (c) further 
comprises creating an execution environment for the user having 
the determined set of privileges. [Page 4, lines 16-18 and page 4, lines 
18-21] (On page 4, lines 16-18, the following has been disclosed, "any 
method of executing the command will 'work' - that is, the invoker will 
acquire the correct privileges." Furthermore on page 4, lines 18-21, the 
following has been disclosed, "this method allows privilege to be acquired 
whether the command is executed by direct user invocation, by shell 
script or via system call or subroutine. ") 

12. As per dependent claims 14 the combination of IBM and Laksono 
discloses a method as applied to claims above. Furthermore, IBM 
discloses the method, further comprising the steps of initiating a 
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connection with a client system associated with the user. [Page 4, 
lines 16-18 and page 4, lines 18-21] (See for instance, command is 
executed by direct user invocation) 

Conclusion 

13. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension 
of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first 
reply is filed within TWO MONTHS of the mailing date of this final action 
and the advisory action is not mailed until after the end of the THREE- 
MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension 
fee pursuant to 37 CFR 1. 136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for 
reply expire later than SIX MONTHS from the mailing date of this final 
action. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Samson B Lemma whose 
telephone number is 571-272-3806. The examiner can normally be 
reached on Monday-Friday (8:00 am---4: 30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, BARRON JR GILBERTO can be reached on 57 1 - 

272-3799. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either 
Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, contact 
the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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